on OpenWRT, in general settings, I changed the IP to the 10.1.1.2/32 sub
Here is my UDM PRO config, it works fine. I turn WG off when I try to connect with my iPhone or OpenWRT, since I didn't add them to the config file yet, but the phone and the UDM work fine.
[Interface]
PrivateKey = ###
Address = 10.1.1.2/24
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101
[Peer]
PublicKey = ####
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = ##:51820
Also, why don't you create a route with the VPN routing package and then direct the traffic to the correct IP? That would make your life easier; I was having similar issues.
Just realised I didn't port forward the WG port from my main gateway to the Raspberry Pi (OpenWRT), but it's partially working.
What do you mean for the route/VPN routing package?
What I'm trying to do is to reroute all the traffic from one client to the AWS server, which works fine with my UDM PRO (I need my client to have a specific IP from AWS), but I'm trying to set up the same with OpenWRT, which seems to only work partially.
When configuring the server side for multiple clients, they must have unique tunnel IP addresses. Associating the same IP (10.1.1.2) with multiple public keys will not work, especially of course if they are actively connected at the same time.
Wireguard does not "push" IP settings or other configuration across the tunnel, so it is necessary to manually set the client's IP and netmask on the client end to match the server's allowed_ip and network subnet.
Test that you can ping 10.1.1.1 from your end. Look at your routing table confirm that it is using 10.1.1.1 as the gateway and the interface is the wireguard interface. Test if you can ping to the Internet with a numeric IP such as 8.8.8.8. Do this both from the router itself and from a LAN device. If that works but you can't go to sites on the Internet, it is probably a DNS problem.
Masquerading is enabled at the zone level, and actually, now that I look at your picture again, it does look like it's already enabled. I thought the lan firewall zone screenshot was the vpn one.
It is often easier to debug these things by looking at the complete config...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
This is wrong, it needs to be /24 so that the server end of the tunnel (10.1.1.1) is also in the subnet.
(Use /32 on a client's allowed_ips to prevent the client from changing to a different IP than intended. This is a security measure enabling IP-based firewalling at the server).
UCI does not know of a network named wg0, since it was created and configured directly by wireguard. There is a device named wg0, so this should be list device wg0.
You may also want to set input to ACCEPT so that you can ping the client from the server end. Or make a rule specifically allowing pings like the one that is on wan.
Now if it still doesn't work, come back and post something more than "it still doesn't work." Do the tests that I mentioned in a previous post and post those results. Dump out the routing table on both sides and confirm that the routes make sense.
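The two configuration mistakes called out above (several peers sharing one tunnel IP on the server side, and a client Address prefix too narrow to contain the server's tunnel IP) are easy to catch before testing. The following is an added example, not code from the thread: a small Python checker that parses a wg-quick style config and reports those problems. The sample config embedded in it is constructed for illustration, with placeholder keys, and is not the poster's real config.

```python
import ipaddress
from collections import Counter

# Constructed sample of a WireGuard server-side config (not from the thread).
# It deliberately contains the mistakes discussed above: two peers that collide
# on 10.1.1.2, and one peer whose AllowedIPs is not a single /32 host.
SERVER_CONF = """
[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = UDM_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.1.1.2/32

[Peer]
PublicKey = OPENWRT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.1.1.2/32

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.1.1.3/24
"""


def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers


def check_server_peers(text):
    """Return a list of problems found in the server config's [Peer] sections:
    tunnel IPs assigned to more than one peer, AllowedIPs that are not a single
    host (/32 or /128), and AllowedIPs outside the server's tunnel subnet."""
    interface, peers = parse_wg_conf(text)
    # Only the first Address matters for this check if several are listed.
    server_net = ipaddress.ip_interface(interface["Address"].split(",")[0]).network
    problems, seen = [], Counter()
    for peer in peers:
        key = peer.get("PublicKey", "<missing PublicKey>")
        for entry in peer.get("AllowedIPs", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            iface = ipaddress.ip_interface(entry)
            seen[iface.ip] += 1
            if iface.network.prefixlen != iface.network.max_prefixlen:
                problems.append(f"{key}: AllowedIPs {entry} is not a single host "
                                f"(expected /{iface.network.max_prefixlen})")
            if iface.ip not in server_net:
                problems.append(f"{key}: AllowedIPs {entry} is outside {server_net}")
    for addr, count in seen.items():
        if count > 1:
            problems.append(f"tunnel IP {addr} is assigned to {count} peers; "
                            "each peer needs a unique address")
    return problems


def check_client_address(client_address, server_tunnel_ip):
    """True if the client's Address (e.g. 10.1.1.2/24) uses a prefix that
    contains the server's tunnel IP; a /32 here isolates the client from it."""
    return ipaddress.ip_address(server_tunnel_ip) in ipaddress.ip_interface(client_address).network


if __name__ == "__main__":
    for problem in check_server_peers(SERVER_CONF):
        print("server:", problem)
    for addr in ("10.1.1.2/32", "10.1.1.2/24"):
        ok = check_client_address(addr, "10.1.1.1")
        print(f"client Address {addr}: {'ok' if ok else 'does not contain 10.1.1.1'}")
```

Note the asymmetry the thread relies on: on the server, a peer's AllowedIPs should be a single /32 so that one public key maps to exactly one tunnel IP, while on the client, Address carries the real subnet prefix (/24 here) so that the server end of the tunnel is reachable through the wg interface.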
===
Also, though it doesn't seem to be breaking anything, it would be good to change the name of your 'WAN' network back to 'wan'. Uppercase in network names is not a good practice, especially since LuCI likes to uppercase and lowercase them on the screen.